rfc9201xml2.original.xml | rfc9201.xml | |||
---|---|---|---|---|
<?xml version="1.0" encoding="utf-8"?> | <?xml version="1.0" encoding="UTF-8"?> | |||
<!-- This template is for creating an Internet Draft using xml2rfc, | <!DOCTYPE rfc [ | |||
which is available here: http://xml.resource.org. --> | <!ENTITY nbsp " "> | |||
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ | <!ENTITY zwsp "​"> | |||
<!-- One method to get references from the online citation libraries. | <!ENTITY nbhy "‑"> | |||
There has to be one entity for each item to be referenced. | <!ENTITY wj "⁠"> | |||
An alternate method (rfc include) is described in the references. --> | ||||
<!ENTITY RFC2119 SYSTEM | ||||
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"> | ||||
<!ENTITY RFC6749 SYSTEM | ||||
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.6749.xml"> | ||||
<!ENTITY RFC7252 SYSTEM | ||||
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.7252.xml"> | ||||
<!ENTITY RFC7800 SYSTEM | ||||
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.7800.xml"> | ||||
<!ENTITY RFC8152 SYSTEM | ||||
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.8152.xml"> | ||||
<!ENTITY RFC8174 SYSTEM | ||||
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.8174.xml"> | ||||
<!ENTITY RFC8259 SYSTEM | ||||
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.8259.xml"> | ||||
<!ENTITY RFC8705 SYSTEM | ||||
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.8705.xml"> | ||||
<!ENTITY RFC8747 SYSTEM | ||||
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.8747.xml"> | ||||
<!ENTITY RFC8949 SYSTEM | ||||
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.8949.xml"> | ||||
<!ENTITY I-D.ietf-ace-oauth-authz SYSTEM "http://xml.resource.org/public/rfc/bib | ||||
xml3/reference.I-D.ietf-ace-oauth-authz.xml"> | ||||
]> | ]> | |||
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" docName="draft-ietf-ace-oauth-pa | |||
<!-- used by XSLT processors --> | rams-16" number="9201" ipr="trust200902" obsoletes="" updates="" submissionType= | |||
<!-- For a complete list and description of processing instructions (PIs), | "IETF" category="std" consensus="true" xml:lang="en" tocInclude="true" tocDepth= | |||
please see http://xml.resource.org/authoring/README.html. --> | "4" symRefs="true" sortRefs="true" version="3"> | |||
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds | ||||
might want to use. | ||||
(Here they are set differently than their defaults in xml2rfc v1.32) --> | ||||
<?rfc strict="yes" ?> | ||||
<!-- give errors regarding ID-nits and DTD validation --> | ||||
<!-- control the table of contents (ToC) --> | ||||
<?rfc toc="yes"?> | ||||
<!-- generate a ToC --> | ||||
<?rfc tocdepth="4"?> | ||||
<!-- the number of levels of subsections in ToC. default: 3 --> | ||||
<!-- control references --> | ||||
<?rfc symrefs="yes"?> | ||||
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] --> | ||||
<?rfc sortrefs="yes" ?> | ||||
<!-- sort the reference entries alphabetically --> | ||||
<!-- control vertical white space | ||||
(using these PIs as follows is recommended by the RFC Editor) --> | ||||
<?rfc compact="yes" ?> | ||||
<!-- do not start each main section on a new page --> | ||||
<?rfc subcompact="no" ?> | ||||
<!-- keep one blank line between list items --> | ||||
<!-- end of list of popular I-D processing instructions --> | ||||
<rfc category="std" docName="draft-ietf-ace-oauth-params-15" ipr="trust200902"> | ||||
<!-- category values: std, bcp, info, exp, and historic | ||||
ipr values: full3667, noModification3667, noDerivatives3667 | ||||
you can add the attributes updates="NNNN" and obsoletes="NNNN" | ||||
they will automatically be output with "(if approved)" --> | ||||
<!-- xml2rfc v2v3 conversion 3.9.1 --> | ||||
<!-- ***** FRONT MATTER ***** --> | <!-- ***** FRONT MATTER ***** --> | |||
<front> | <front> | |||
<!-- The abbreviated title is used in the page header - it is only necessary if the full title is longer than 39 characters --> | ||||
<title abbrev="ACE-OAuth-Params">Additional OAuth Parameters for Authorization i | <!--[rfced] Please note that the title and the short title (which appears in | |||
n Constrained Environments (ACE)</title> | the header of the PDF file) have been updated as follows. Please review. | |||
<!-- add 'role="editor"' below for the editors if appropriate --> | Title: | |||
Original: | ||||
Additional OAuth Parameters for Authorization in Constrained Environments (AC | ||||
E) | ||||
<!-- Another author who claims to be an editor --> | Current: | |||
Additional OAuth Parameters for Authentication and Authorization for | ||||
Constrained Environments (ACE) | ||||
Short Title: | ||||
Original: ACE-OAuth-Params | ||||
Current: OAuth Parameters for ACE | ||||
--> | ||||
-> | <title abbrev="OAuth Parameters for ACE">Additional OAuth Parameters for Authent | |||
ication and Authorization for Constrained Environments (ACE)</title> | ||||
<seriesInfo name="RFC" value="9201"/> | ||||
<author fullname="Ludwig Seitz" initials="L." surname="Seitz"> | <author fullname="Ludwig Seitz" initials="L." surname="Seitz"> | |||
<organization>Combitech</organization> | <organization>Combitech</organization> | |||
<address> | <address> | |||
<postal> | <postal> | |||
<street>Djäknegatan 31</street> | <street>Djäknegatan 31</street> | |||
<code>211 35</code> <city>Malmö</city> | <code>211 35</code> | |||
<city>Malmö</city> | ||||
<country>Sweden</country> | <country>Sweden</country> | |||
</postal> | </postal> | |||
<email>ludwig.seitz@combitech.com</email> | <email>ludwig.seitz@combitech.com</email> | |||
<!-- uri and facsimile elements may also be added --> | ||||
</address> | </address> | |||
</author> | </author> | |||
<date year="2022" month="March"/> | ||||
<date year="2021"/> | ||||
<!-- If the month and year are both specified and are the current ones, xml2 | ||||
rfc will fill | ||||
in the current day for you. If only the current year is specified, xml2 | ||||
rfc will fill | ||||
in the current day and month for you. If the year is not the current one | ||||
, it is necessary to specify at least a month (xml2rfc assumes day="1" if not sp | ||||
ecified for the purpose of calculating the expiry date). With drafts it is norm | ||||
ally sufficient to specify just the year. --> | ||||
<!-- Meta-data Declarations --> | <!-- Meta-data Declarations --> | |||
<area>Security</area> | <area>Security</area> | |||
<workgroup>ACE</workgroup> | ||||
<workgroup>ACE Working Group</workgroup> | <keyword>CoAP</keyword> | |||
<keyword>OAuth 2.0</keyword> | ||||
<!-- WG name at the upperleft corner of the doc, | <keyword>Access Control</keyword> | |||
IETF is fine for individual submissions. | <keyword>Authorization</keyword> | |||
If this element is not present, the default is "Network Working Group", | <keyword>Internet of Things</keyword> | |||
which is used by the RFC Editor as a nod to the history of the IETF. -- | ||||
> | ||||
<keyword>CoAP, OAuth 2.0, Access Control, Authorization, Internet of Things< | ||||
/keyword> | ||||
<!-- Keywords will be incorporated into HTML output | ||||
files in a meta tag but they have no effect on text or nroff | ||||
output. If you submit your draft to the RFC Editor, the | ||||
keywords will be used for the search engine. --> | ||||
<abstract> | <abstract> | |||
<t>This specification defines new parameters and encodings for the OAuth | <t>This specification defines new parameters and encodings for the OAuth | |||
2.0 token and introspection endpoints when used with the framework for | 2.0 token and introspection endpoints when used with the framework for | |||
authentication and authorization for constrained environments (ACE). | Authentication and Authorization for Constrained Environments (ACE). | |||
<!--[rfced] Would you like to replace instances of "proof-of-possession" | ||||
with "PoP" to match use in the companion documents?--> | ||||
These are used to express the proof-of-possession key the client | These are used to express the proof-of-possession key the client | |||
wishes to use, the proof-of-possession key that the Authorization Server | wishes to use, the proof-of-possession key that the authorization server | |||
has selected, and the key the Resource Server uses to authenticate | has selected, and the proof-of-possession key the resource server uses to | |||
authenticate | ||||
to the client.</t> | to the client.</t> | |||
</abstract> | </abstract> | |||
</front> | </front> | |||
<middle> | ||||
<!-- ***************************************************** --> | ||||
<middle> | <section anchor="intro" numbered="true" toc="default"> | |||
<name>Introduction</name> | ||||
<!-- ***************************************************** --> | <t>The Authentication and Authorization for Constrained Environments (ACE) | |||
specification <xref target="RFC9200" format="default"/> requires some new | ||||
<section anchor="intro" title="Introduction"> | parameters for interactions with the OAuth 2.0 <xref target="RFC6749" format=" | |||
default"/> token | ||||
<t>The Authentication and Authorization for Constrained Environments (ACE) | ||||
specification <xref target="I-D.ietf-ace-oauth-authz"/> requires some new | ||||
parameters for interactions with the OAuth 2.0 <xref target="RFC6749"/> token | ||||
and introspection endpoints, as well as some new claims to be used in access | and introspection endpoints, as well as some new claims to be used in access | |||
tokens. These parameters and claims can also be used in other contexts | tokens. These parameters and claims can also be used in other contexts | |||
and have therefore been put into a dedicated document, to | and have therefore been put into a dedicated document to | |||
facilitate their use in a manner independent of | facilitate their use in a manner independent of | |||
<xref target="I-D.ietf-ace-oauth-authz"/>.</t> | <xref target="RFC9200" format="default"/>.</t> | |||
<t>Note that although all examples are shown in Concise Binary Object | ||||
<t>Note that although all examples are shown in Concise Binary Object | Representation (CBOR) <xref target="RFC8949" format="default"/>, JSON | |||
Representation (CBOR) <xref target="RFC8949"/>, JSON | <xref target="RFC8259" format="default"/> <bcp14>MAY</bcp14> be used as an alt | |||
<xref target="RFC8259"/> MAY be used as an alternative for HTTP-based | ernative for HTTP-based | |||
communications, as specified in <xref target="I-D.ietf-ace-oauth-authz"/>.</t> | communications, as specified in <xref target="RFC9200" format="default"/>.</t> | |||
</section> | </section> | |||
<!-- ***************************************************** --> | ||||
<!-- ***************************************************** --> | ||||
<section anchor="terminology" title="Terminology"> | ||||
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL | ||||
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | ||||
"OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref | ||||
target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in | ||||
all capitals, as shown here.</t> | ||||
<t>Readers are assumed to be familiar with the terminology from <xref | <section anchor="terminology" numbered="true" toc="default"> | |||
target="I-D.ietf-ace-oauth-authz"/>, especially the terminology | <name>Terminology</name> | |||
for entities in the architecture such as client (C), resource server (RS) | <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14 | |||
>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL | ||||
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECO | ||||
MMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and | ||||
"<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in | ||||
BCP 14 <xref target="RFC2119" format="default"/> <xref target="RFC8174" format= | ||||
"default"/> when, and only when, they appear in all capitals, as shown here.</t> | ||||
<t>Readers are assumed to be familiar with the terminology from <xref targ | ||||
et="RFC9200" format="default"/>, especially the terminology | ||||
for entities in the architecture such as client (C), resource server (RS), | ||||
and authorization server (AS).</t> | and authorization server (AS).</t> | |||
<t>Terminology from <xref target="RFC8152" format="default"/> is used in t | ||||
he examples, | ||||
especially COSE_Key, which is defined in <xref target="RFC8152" sectionFormat= | ||||
"of" section="7"/>.</t> | ||||
<t>Note that the term "endpoint" is used here following its OAuth 2.0 | ||||
<xref target="RFC6749" format="default"/> definition, which is to denote r | ||||
esources | ||||
such as token and introspection at the AS and authz-info at the RS. The C | ||||
onstrained | ||||
Application Protocol (CoAP) <xref target="RFC7252" format="default"/> defi | ||||
nition, | ||||
which is "[a]n entity participating in the CoAP protocol", is not used in | ||||
this | ||||
specification.</t> | ||||
</section> | ||||
<!-- ***************************************************** --> | ||||
<t>Terminology from <xref target="RFC8152"/> is used in the examples, | <section anchor="tokenEndpoint" numbered="true" toc="default"> | |||
especially COSE_Key defined in section 7 of <xref target="RFC8152"/>.</t> | <name>Parameters for the Token Endpoint</name> | |||
<t>This section defines additional parameters for the interactions with | ||||
<t>Note that the term "endpoint" is used here following its OAuth 2.0 | the token endpoint in the ACE framework <xref target="RFC9200" format="default | |||
<xref target="RFC6749"/> definition, which is to denote resources such as | "/>.</t> | |||
token and introspection at the AS and authz-info at the RS. The Constrained | <section anchor="tokenRequest" numbered="true" toc="default"> | |||
Application Protocol (CoAP) <xref target="RFC7252"/> definition, which is "An | <name>Client-to-AS Request</name> | |||
entity participating in the CoAP protocol" is not used in this | <t>This section defines the "req_cnf" parameter allowing clients to | |||
specification.</t> | ||||
</section> | ||||
<!-- ***************************************************** --> | ||||
<section anchor="tokenEndpoint" title="Parameters for the Token Endpoint"> | ||||
<t>This section defines additional parameters for the interactions with | ||||
the token endpoint in the ACE framework <xref | ||||
target="I-D.ietf-ace-oauth-authz"/>.</t> | ||||
<section anchor="tokenRequest" title="Client-to-AS Request"> | ||||
<t>This section defines the "req_cnf" parameter allowing clients to | ||||
request a specific proof-of-possession key in an access token from a token | request a specific proof-of-possession key in an access token from a token | |||
endpoint in the ACE framework <xref target="I-D.ietf-ace-oauth-authz"/>: | endpoint in the ACE framework <xref target="RFC9200" format="default"/>: | |||
<list style="hanging"> | </t> | |||
<t hangText="req_cnf"><vspace blankLines="0"/> | <dl newline="true" spacing="normal"> | |||
OPTIONAL. This field contains information about the key the | <dt>req_cnf</dt> | |||
client would like to bind to the access token for proof-of-possession. | <dd> | |||
It is RECOMMENDED that an AS rejects a request containing a symmetric | <bcp14>OPTIONAL</bcp14>. This field contains information about the key t | |||
key value in the 'req_cnf' field (kty=Symmetric), since the AS is | he | |||
client would like to bind to the access token for proof of possession. | ||||
It is <bcp14>RECOMMENDED</bcp14> that an AS rejects a request containing | ||||
a symmetric | ||||
key value in the "req_cnf" field (kty=Symmetric), since the AS is | ||||
expected to be able to generate better symmetric keys than a | expected to be able to generate better symmetric keys than a | |||
constrained client (Note: this does not apply to key identifiers | constrained client. (Note: this does not apply to key identifiers | |||
referencing a symmetric key). The AS MUST verify that the client | referencing a symmetric key.) The AS <bcp14>MUST</bcp14> verify that the | |||
client | ||||
really is in possession of the corresponding key. Profiles of | really is in possession of the corresponding key. Profiles of | |||
<xref target="I-D.ietf-ace-oauth-authz"/> using this specification MUST | <xref target="RFC9200" format="default"/> using this specification | |||
define the proof-of-possession method used by the AS, if they allow | <bcp14>MUST</bcp14> | |||
define the proof-of-possession method used by the AS if they allow | ||||
clients to use this request parameter. Values of this parameter follow | clients to use this request parameter. Values of this parameter follow | |||
the syntax and semantics of the "cnf" claim either from section 3.1 of | the syntax and semantics of the "cnf" claim either from | |||
<xref target="RFC8747"/> for CBOR-based interactions or from section 3.1 | <xref target="RFC8747" sectionFormat="of" section="3.1"/> for CBOR-based | |||
of <xref target="RFC7800"/> for JSON-based interactions.</t> | interactions or from | |||
</list> | <xref target="RFC7800" sectionFormat="of" section="3.1"/> for JSON-based | |||
</t> | interactions.</dd> | |||
</dl> | ||||
<t><xref target="fig_symmATreq" format="default"/> shows a request for a | ||||
n access | ||||
token using the "req_cnf" parameter to request a specific public key as a | ||||
proof-of-possession key. The content is displayed in CBOR diagnostic | ||||
notation without abbreviations and with line breaks for better readabilit | ||||
y.</t> | ||||
<t><xref target="fig:symmATreq"/> shows a request for an access token | <!--[rfced] Please review the "type" attribute of each sourcecode element | |||
using the "req_cnf" parameter to request a specific public key as | in the XML file to ensure correctness. If the current list of preferred | |||
proof-of-possession key. The content is displayed in CBOR diagnostic | values for "type" (https://www.rfc-editor.org/materials/sourcecode-types.txt) | |||
notation, without abbreviations and with line-breaks for better readability. | does not contain an applicable type, then feel free to let us know.--> | |||
<figure align="center" anchor="fig:symmATreq" | <figure anchor="fig_symmATreq"> | |||
title="Example request for an access token bound to an | <name>Example Request for an Access Token Bound to an Asymmetric Key</ | |||
asymmetric key."> | name> | |||
<artwork align="left"><![CDATA[ | <sourcecode name="" type="cbor-diag"><![CDATA[ | |||
Header: POST (Code=0.02) | Header: POST (Code=0.02) | |||
Uri-Host: "as.example.com" | Uri-Host: "as.example.com" | |||
Uri-Path: "token" | Uri-Path: "token" | |||
Content-Format: "application/ace+cbor" | Content-Format: "application/ace+cbor" | |||
Payload: | Payload: | |||
{ | { | |||
"req_cnf" : { | "req_cnf" : { | |||
"COSE_Key" : { | "COSE_Key" : { | |||
"kty" : "EC2", | "kty" : "EC2", | |||
"kid" : h'11', | "kid" : h'11', | |||
"crv" : "P-256", | "crv" : "P-256", | |||
"x" : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24 | "x" : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24 | |||
4DC189F745228255A219A86D6A09EFF', | 4DC189F745228255A219A86D6A09EFF', | |||
"y" : h'20138BF82DC1B6D562BE0FA54AB7804A3 | "y" : h'20138BF82DC1B6D562BE0FA54AB7804A3 | |||
A64B6D72CCFED6B6FB6ED28BBFC117E' | A64B6D72CCFED6B6FB6ED28BBFC117E' | |||
} | } | |||
} | } | |||
} | } | |||
]]></artwork> | ]]></sourcecode> | |||
</figure></t> | </figure> | |||
</section><!-- C->AS --> | </section> | |||
<!-- C->AS --> | ||||
<section anchor="tokenResponse" title="AS-to-Client Response"> | ||||
<t>This section defines the following additional parameters for | <section anchor="tokenResponse" numbered="true" toc="default"> | |||
<name>AS-to-Client Response</name> | ||||
<t>This section defines the following additional parameters for | ||||
an AS response to a request to the token endpoint: | an AS response to a request to the token endpoint: | |||
<list style="hanging"> | </t> | |||
<t hangText="cnf"><vspace blankLines="0"/> | <dl newline="true" spacing="normal"> | |||
REQUIRED if the token type is "pop" and a symmetric key is used. | <dt>cnf</dt> | |||
MAY be present for asymmetric proof-of-possession keys. This field | <dd> | |||
<bcp14>REQUIRED</bcp14> if the token type is "pop" and a symmetric key is | ||||
used. | ||||
<bcp14>MAY</bcp14> be present for asymmetric proof-of-possession keys. T | ||||
his field | ||||
contains the proof-of-possession key that the AS selected for the | contains the proof-of-possession key that the AS selected for the | |||
token. Values of this parameter follow the syntax and semantics of the | token. Values of this parameter follow the syntax and semantics of the | |||
"cnf" claim either from section 3.1 of <xref target="RFC8747"/> for | "cnf" claim either from <xref target="RFC8747" sectionFormat="of" section | |||
CBOR-based interactions or from section 3.1 of <xref target="RFC7800"/> | ="3.1"/> | |||
for JSON-based interactions. See <xref target="paramCnf"/> for | for | |||
CBOR-based interactions or from <xref target="RFC7800" sectionFormat="of" | ||||
section="3.1"/> | ||||
for JSON-based interactions. See <xref target="paramCnf" format="default | ||||
"/> for | ||||
additional discussion of the usage of this parameter. | additional discussion of the usage of this parameter. | |||
<vspace blankLines="1"/></t> | </dd> | |||
<dt>rs_cnf</dt> | ||||
<t hangText="rs_cnf"><vspace blankLines="0"/> | <dd> | |||
OPTIONAL if the token type is "pop" and asymmetric keys are used. | <bcp14>OPTIONAL</bcp14> if the token type is "pop" and asymmetric keys ar | |||
MUST NOT be present otherwise. This field contains information about | e used. | |||
<bcp14>MUST NOT</bcp14> be present otherwise. This field contains informa | ||||
tion about | ||||
the public key used by the RS to authenticate. If this parameter is | the public key used by the RS to authenticate. If this parameter is | |||
absent, either the RS does not use a public key or the AS knows that | absent, either the RS does not use a public key or the AS knows that | |||
the RS can authenticate itself to the client without additional | the RS can authenticate itself to the client without additional | |||
information. Values of this parameter follow the syntax and semantics | information. Values of this parameter follow the syntax and semantics | |||
of the "cnf" claim either from section 3.1 of | of the "cnf" claim either from | |||
<xref target="RFC8747"/> for CBOR-based interactions or from section 3.1 | <xref target="RFC8747" sectionFormat="of" section="3.1"/> for CBOR-based | |||
of <xref target="RFC7800"/> for JSON-based interactions. See | interactions or from | |||
<xref target="paramCnf"/> for additional discussion of the usage of this | <xref target="RFC7800" sectionFormat="of" section="3.1"/> for JSON-based | |||
parameter. </t> | interactions. See | |||
</list> | <xref target="paramCnf" format="default"/> for additional discussion of t | |||
</t> | he usage | |||
of this parameter. </dd> | ||||
<t><xref target="fig:symmATres"/> shows an AS response containing a token | </dl> | |||
and a "cnf" parameter with a symmetric proof-of-possession key. | <t><xref target="fig_symmATres" format="default"/> shows an AS response | |||
containing | ||||
<figure align="center" anchor="fig:symmATres" | a token and a "cnf" parameter with a symmetric proof-of-possession key.</ | |||
title="Example AS response with an access token bound to a | t> | |||
symmetric key."> | <figure anchor="fig_symmATres"> | |||
<artwork align="left"><![CDATA[ | <name>Example AS Response with an Access Token Bound to a Symmetric Ke | |||
y</name> | ||||
<sourcecode name="" type="cbor-diag"><![CDATA[ | ||||
Header: Created (Code=2.01) | Header: Created (Code=2.01) | |||
Content-Format: "application/ace+cbor" | Content-Format: "application/ace+cbor" | |||
Payload: | Payload: | |||
{ | { | |||
"access_token" : h'4A5015DF686428 ... | "access_token" : h'4A5015DF686428 ... | |||
(remainder of CWT omitted for brevity; | (remainder of CWT omitted for brevity; | |||
CWT contains COSE_Key in the "cnf" claim)', | CWT contains COSE_Key in the "cnf" claim)', | |||
"cnf" : { | "cnf" : { | |||
"COSE_Key" : { | "COSE_Key" : { | |||
"kty" : "Symmetric", | "kty" : "Symmetric", | |||
"kid" : h'DFD1AA97', | "kid" : h'DFD1AA97', | |||
"k" : h'849B5786457C1491BE3A76DCEA6C427108' | "k" : h'849B5786457C1491BE3A76DCEA6C427108' | |||
} | } | |||
} | } | |||
} | } | |||
]]></artwork> | ]]></sourcecode> | |||
</figure></t> | </figure> | |||
<t><xref target="fig_asymmATres" format="default"/> shows an AS response | ||||
<t><xref target="fig:asymmATres"/> shows an AS response containing a token | containing | |||
bound to a previously requested asymmetric proof-of-possession key (not | a token bound to a previously requested asymmetric proof-of-possession ke | |||
shown) and a "rs_cnf" parameter containing the public key of the RS. | y (not | |||
<figure align="center" anchor="fig:asymmATres" | shown) and an "rs_cnf" parameter containing the public key of the RS.</t> | |||
title="Example AS response, including the RS's public key."> | <figure anchor="fig_asymmATres"> | |||
<artwork align="left"><![CDATA[ | <name>Example AS Response Including the RS's Public Key</name> | |||
<sourcecode name="" type="cbor-diag"><![CDATA[ | ||||
Header: Created (Code=2.01) | Header: Created (Code=2.01) | |||
Content-Format: "application/ace+cbor" | Content-Format: "application/ace+cbor" | |||
Payload: | Payload: | |||
{ | { | |||
"access_token" : h'D08343A1010AA1054D2A45DF6FBC5A5A ... | "access_token" : h'D08343A1010AA1054D2A45DF6FBC5A5A ... | |||
(remainder of CWT omitted for brevity)', | (remainder of CWT omitted for brevity)', | |||
"rs_cnf" : { | "rs_cnf" : { | |||
"COSE_Key" : { | "COSE_Key" : { | |||
"kty" : "EC2", | "kty" : "EC2", | |||
"kid" : h'12', | "kid" : h'12', | |||
"crv" : "P-256", | "crv" : "P-256", | |||
"x" : h'BCEE7EAAC162F91E6F330F5771211E220 | "x" : h'BCEE7EAAC162F91E6F330F5771211E220 | |||
B8B546C96589B0AC4AD0FD24C77E1F1', | B8B546C96589B0AC4AD0FD24C77E1F1', | |||
"y" : h'C647B38C55EFBBC4E62E651720F002D5D | "y" : h'C647B38C55EFBBC4E62E651720F002D5D | |||
75B2E0C02CD1326E662BCA222B90416' | 75B2E0C02CD1326E662BCA222B90416' | |||
} | } | |||
} | } | |||
} | } | |||
]]></artwork> | ]]></sourcecode> | |||
</figure></t> | </figure> | |||
</section><!-- AS->C --> | </section> | |||
</section> <!--Token Endpont--> | <!-- AS->C --> | |||
</section> | ||||
<section anchor="introsp" | <!--Token Endpont--> | |||
title="Parameters for the Introspection Endpoint"> | ||||
<t>This section defines the use of CBOR instead of JSON for the "cnf" | ||||
introspection response parameter specified in section 9.4 of <xref | ||||
target="RFC8705"/>.</t> | ||||
<t>If CBOR is used instead of JSON in an interaction with the introspection | ||||
endpoint, the AS MUST use the parameter mapping specified in <xref | ||||
target="fig:cborParameters"/> and the value must follow the syntax of "cnf" | ||||
claim values from section 3.1 of <xref | ||||
target="RFC8747"/>.</t> | ||||
<t><xref target="fig:introRes"/> shows an AS response to an introspection | <section anchor="introsp" numbered="true" toc="default"> | |||
<name>Parameters for the Introspection Endpoint</name> | ||||
<t>This section defines the use of CBOR instead of JSON for the "cnf" | ||||
introspection response parameter specified in <xref target="RFC8705" | ||||
sectionFormat="of" section="9.4"/>.</t> | ||||
<t>If CBOR is used instead of JSON in an interaction with the introspectio | ||||
n | ||||
endpoint, the AS <bcp14>MUST</bcp14> use the parameter mapping specified i | ||||
n <xref | ||||
target="fig_cborParameters" format="default"/> and the value must follow t | ||||
he syntax | ||||
of "cnf" claim values from <xref target="RFC8747" sectionFormat="of" | ||||
section="3.1"/>.</t> | ||||
<t><xref target="fig_introRes" format="default"/> shows an AS response to | ||||
an introspection | ||||
request including the "cnf" parameter to indicate the proof-of-possession | request including the "cnf" parameter to indicate the proof-of-possession | |||
key bound to the token. | key bound to the token. | |||
<figure align="center" anchor="fig:introRes" | </t> | |||
title="Example introspection response."> | <figure anchor="fig_introRes"> | |||
<artwork align="left"><![CDATA[ | <name>Example Introspection Response</name> | |||
<sourcecode name="" type="cbor-diag"><![CDATA[ | ||||
Header: Created (Code=2.01) | Header: Created (Code=2.01) | |||
Content-Format: "application/ace+cbor" | Content-Format: "application/ace+cbor" | |||
Payload: | Payload: | |||
{ | { | |||
"active" : true, | "active" : true, | |||
"scope" : "read", | "scope" : "read", | |||
"aud" : "tempSensor4711", | "aud" : "tempSensor4711", | |||
"cnf" : { | "cnf" : { | |||
"COSE_Key" : { | "COSE_Key" : { | |||
"kty" : "EC2", | "kty" : "EC2", | |||
"kid" : h'11', | "kid" : h'11', | |||
"crv" : "P-256", | "crv" : "P-256", | |||
"x" : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24 | "x" : h'BAC5B11CAD8F99F9C72B05CF4B9E26D24 | |||
4DC189F745228255A219A86D6A09EFF', | 4DC189F745228255A219A86D6A09EFF', | |||
"y" : h'20138BF82DC1B6D562BE0FA54AB7804A3 | "y" : h'20138BF82DC1B6D562BE0FA54AB7804A3 | |||
A64B6D72CCFED6B6FB6ED28BBFC117E' | A64B6D72CCFED6B6FB6ED28BBFC117E' | |||
} | } | |||
} | } | |||
} | } | |||
]]></artwork> | ]]></sourcecode> | |||
</figure></t> | </figure> | |||
</section> <!-- introspection --> | </section> | |||
<!-- introspection --> | ||||
<section anchor="paramCnf" title="Confirmation Method Parameters"> | ||||
<t>The confirmation method parameters are used in | ||||
<xref target="I-D.ietf-ace-oauth-authz"/> as follows: | ||||
<list style="symbols"> | ||||
<t>"req_cnf" in the access token request C -> AS, OPTIONAL to indicate | ||||
the client's raw public key, or the key-identifier of a previously | ||||
established key between C and RS that the client wishes to use | ||||
for proof-of-possession of the access token.</t> | ||||
<t>"cnf" in the token response AS -> C, OPTIONAL if using an | ||||
asymmetric key or a key that the client requested via a key identifier | ||||
in the request. REQUIRED if the client didn't specify a "req_cnf" and | ||||
symmetric keys are used. Used to indicate the symmetric key generated | ||||
by the AS for proof-of-possession of the access token.</t> | ||||
<t>"cnf" in the introspection response AS -> RS, REQUIRED if the | ||||
access token that was subject to introspection is a proof-of-possession | ||||
token, absent otherwise. Indicates the proof-of-possession key bound | ||||
to the access token.</t> | ||||
<t>"rs_cnf" in the token response AS -> C, OPTIONAL to indicate the | ||||
public key of the RS, if it uses one to authenticate itself to the client | ||||
and the binding between key and RS identity is not established through | ||||
other means.</t> | ||||
</list></t> | ||||
<t>Note that the COSE_Key structure in a confirmation claim or parameter | ||||
may contain an "alg" or "key_ops" parameter. If such parameters are | ||||
present, a client MUST NOT use a key that is incompatible with | ||||
the profile or proof-of-possession algorithm according to those | ||||
parameters. An RS MUST reject a proof-of-possession using such a key with | ||||
a response code equivalent to the CoAP code 4.00 (Bad Request). | ||||
</t> | ||||
<t>If an access token is issued for an audience that includes several RS, | <section anchor="paramCnf" numbered="true" toc="default"> | |||
the "rs_cnf" parameter MUST NOT be used, since the client cannot | <name>Confirmation Method Parameters</name> | |||
<t>The confirmation method parameters are used in | ||||
<xref target="RFC9200" format="default"/> as follows: | ||||
</t> | ||||
<ul spacing="normal"> | ||||
<li>"req_cnf" in the access token request C -> AS, <bcp14>OPTIONAL</b | ||||
cp14> to | ||||
indicate the client's raw public key or the key identifier of a previous | ||||
ly | ||||
established key between the C and RS that the client wishes to use | ||||
for proof of possession of the access token.</li> | ||||
<li>"cnf" in the token response AS -> C, <bcp14>OPTIONAL</bcp14> if u | ||||
sing an | ||||
asymmetric key or a key that the client requested via a key identifier | ||||
in the request. <bcp14>REQUIRED</bcp14> if the client didn't specify a "r | ||||
eq_cnf" and | ||||
symmetric keys are used. Used to indicate the symmetric key generated | ||||
by the AS for proof of possession of the access token.</li> | ||||
<li>"cnf" in the introspection response AS -> RS, <bcp14>REQUIRED</bc | ||||
p14> if the | ||||
access token that was subject to introspection is a proof-of-possession | ||||
token, absent otherwise. Indicates the proof-of-possession key bound | ||||
to the access token.</li> | ||||
<li>"rs_cnf" in the token response AS -> C, <bcp14>OPTIONAL</bcp14> t | ||||
o indicate | ||||
the public key of the RS if it uses one to authenticate itself to the cli | ||||
ent | ||||
and the binding between the key and RS identity is not established throug | ||||
h | ||||
other means.</li> | ||||
</ul> | ||||
<t>Note that the COSE_Key structure in a confirmation claim or parameter | ||||
may contain an "alg" or "key_ops" parameter. If such parameters are | ||||
present, a client <bcp14>MUST NOT</bcp14> use a key that is incompatible w | ||||
ith | ||||
the profile or proof-of-possession algorithm according to those | ||||
parameters. An RS <bcp14>MUST</bcp14> reject a proof of possession using s | ||||
uch a key | ||||
with a response code equivalent to the CoAP code 4.00 (Bad Request). | ||||
</t> | ||||
<t>If an access token is issued for an audience that includes several RSs, | ||||
the "rs_cnf" parameter <bcp14>MUST NOT</bcp14> be used, since the client canno | ||||
t | ||||
determine for which RS the key applies. This document recommends to | determine for which RS the key applies. This document recommends to | |||
specify a different endpoint that the client can use to acquire RS | specify a different endpoint that the client can use to acquire RS | |||
authentication keys in such cases. The specification of such an endpoint | authentication keys in such cases. The specification of such an endpoint | |||
is out of scope for this document.</t> | is out of scope for this document.</t> | |||
</section> | </section> | |||
<section anchor="paramsCbor" numbered="true" toc="default"> | ||||
<section anchor="paramsCbor" title="CBOR Mappings"> | <name>CBOR Mappings</name> | |||
<t>If CBOR is used, the new parameters and claims defined in this document | <t>If CBOR is used, the new parameters and claims defined in this document | |||
MUST be mapped to CBOR types as specified in <xref | <bcp14>MUST</bcp14> be mapped to CBOR types, as specified in <xref target="fig | |||
target="fig:cborParameters"/>, using the given integer abbreviation for the | _cborParameters" format="default"/>, using the given integer abbreviation for th | |||
map key. | e | |||
map key.</t> | ||||
<figure align="center" anchor="fig:cborParameters" | <table anchor="fig_cborParameters" align="left"> | |||
title="CBOR mappings for new parameters and claims."> | <name>CBOR Mappings for New Parameters and Claims</name> | |||
<artwork align="left"><![CDATA[ | <thead> | |||
/----------+----------+-------------------------------------\ | <tr> | |||
| Name | CBOR Key | Value Type | Usage | | <th>Name</th> | |||
|----------+----------+-------------------------------------| | <th>CBOR Key</th> | |||
| req_cnf | TBD (4) | map | token request | | <th>Value Type</th> | |||
| cnf | TBD (8) | map | token response | | <th>Usage</th> | |||
| cnf | TBD (8) | map | introspection response | | </tr> | |||
| rs_cnf | TBD (41) | map | token response | | </thead> | |||
\----------+----------+------------+------------------------/ | <tbody> | |||
]]></artwork> | <tr> | |||
</figure> | <td>req_cnf</td> | |||
</t> | <td>4</td> | |||
</section> | <td>map</td> | |||
<td>token request</td> | ||||
<section anchor="asymmReq" title="Requirements when using asymmetric keys"> | </tr> | |||
<t>An RS using asymmetric keys to authenticate to the client MUST NOT | <tr> | |||
hold several different asymmetric key pairs, applicable to the same | <td>cnf</td> | |||
authentication algorithm. For example when using DTLS, the RS MUST NOT | <td>8</td> | |||
hold several asymmetric key pairs applicable to the same cipher suite. | <td>map</td> | |||
The reason for this restriction is that the RS has no way of determining | <td>token response</td> | |||
which key to use before the client's identity is established. Therefore | </tr> | |||
authentication attempts by the RS could randomly fail based on which key the | <tr> | |||
RS selects, unless the algorithm negotiation produces a unique choice of | <td>cnf</td> | |||
key pair for the RS. | <td>8</td> | |||
</t> | <td>map</td> | |||
</section> | <td>introspection response</td> | |||
</tr> | ||||
<section anchor="security" title="Security Considerations"> | <tr> | |||
<t>This document is an extension to <xref | <td>rs_cnf</td> | |||
target="I-D.ietf-ace-oauth-authz"/>. All security considerations | <td>41</td> | |||
from that document apply here as well.</t> | <td>map</td> | |||
</section> | <td>token response</td> | |||
</tr> | ||||
<section anchor="privacy" title="Privacy Considerations"> | </tbody> | |||
<t>This document is an extension to <xref | </table> | |||
target="I-D.ietf-ace-oauth-authz"/>. All privacy considerations | </section> | |||
from that document apply here as well.</t> | <section anchor="asymmReq" numbered="true" toc="default"> | |||
</section> | <name>Requirements When Using Asymmetric Keys</name> | |||
<t>An RS using asymmetric keys to authenticate to the client <bcp14>MUST N | ||||
<section anchor="iana" title="IANA Considerations"> | OT</bcp14> | |||
<section anchor="IANAOAuthParameter" | hold several different asymmetric key pairs applicable to the same | |||
title="OAuth Parameter Registration"> | authentication algorithm. For example, when using DTLS, the RS <bcp14>MUS | |||
<t>This section registers the following parameters in the "OAuth | T | |||
Parameters" registry <xref target="IANA.OAuthParameters"/>:</t> | NOT</bcp14> hold several asymmetric key pairs applicable to the same ciphe | |||
r suite. | ||||
<t><?rfc subcompact="yes"?> | The reason for this restriction is that the RS has no way of determining | |||
<list style='symbols'> | which key to use before the client's identity is established. Therefore, | |||
<t>Name: <spanx style="verb">req_cnf</spanx></t> | authentication attempts by the RS could randomly fail based on which key t | |||
<t>Parameter Usage Location: token request</t> | he | |||
<t>Change Controller: IESG</t> | RS selects, unless the algorithm negotiation produces a unique choice of k | |||
<t>Reference: <xref target="paramCnf"/> of [this document]</t> | ey pair | |||
</list></t> | for the RS.</t> | |||
</section> | ||||
<t><?rfc subcompact="yes"?> | <section anchor="security" numbered="true" toc="default"> | |||
<list style='symbols'> | <name>Security Considerations</name> | |||
<t>Name: <spanx style="verb">rs_cnf</spanx></t> | <t>This document is an extension to <xref target="RFC9200" format="default | |||
<t>Parameter Usage Location: token response</t> | "/>. All | |||
<t>Change Controller: IESG</t> | security considerations from that document apply here as well.</t> | |||
<t>Reference: <xref target="paramCnf"/> of [this document]</t> | </section> | |||
</list></t> | <section anchor="privacy" numbered="true" toc="default"> | |||
<name>Privacy Considerations</name> | ||||
<t><?rfc subcompact="yes"?> | <t>This document is an extension to <xref target="RFC9200" format="default | |||
<list style='symbols'> | "/>. All | |||
<t>Name: <spanx style="verb">cnf</spanx></t> | privacy considerations from that document apply here as well.</t> | |||
<t>Parameter Usage Location: token response</t> | </section> | |||
<t>Change Controller: IESG</t> | <section anchor="iana" numbered="true" toc="default"> | |||
<t>Reference: <xref target="paramCnf"/> of [this document]</t> | <name>IANA Considerations</name> | |||
</list></t> | <section anchor="IANAOAuthParameter" numbered="true" toc="default"> | |||
</section> | <name>OAuth Parameter Registration</name> | |||
<t>This section registers the following parameters in the "OAuth | ||||
<section anchor="IANATokenCBORMappingRegistration" | Parameters" registry <xref target="IANA.OAuthParameters" format="default" | |||
title="OAuth Parameters CBOR Mappings Registration"> | />:</t> | |||
<t>This section registers the following parameter mappings | <dl newline="false" spacing="compact"> | |||
in the "OAuth Parameters CBOR Mappings" registry established in | <dt>Name:</dt> | |||
section 8.9. of <xref target="I-D.ietf-ace-oauth-authz"/>.</t> | <dd><tt>req_cnf</tt></dd> | |||
<dt>Parameter Usage Location:</dt> | ||||
<t><?rfc subcompact="yes"?> | <dd>token request</dd> | |||
<list style='symbols'> | <dt>Change Controller:</dt> | |||
<t>Name: <spanx style="verb">req_cnf</spanx></t> | <dd>IETF</dd> | |||
<t>CBOR key: TBD (suggested: 4)</t> | <dt>Reference:</dt> | |||
<t>Change Controller: IESG</t> | <dd><xref target="paramCnf" format="default"/> of RFC 9201</dd> | |||
<t>Reference: <xref target="tokenRequest"/> of [this document]</t> | </dl> | |||
</list></t> | <dl newline="false" spacing="compact"> | |||
<dt>Name:</dt> | ||||
<t><?rfc subcompact="yes"?> | <dd><tt>rs_cnf</tt></dd> | |||
<list style='symbols'> | <dt>Parameter Usage Location:</dt> | |||
<t>Name: <spanx style="verb">cnf</spanx></t> | <dd>token response</dd> | |||
<t>CBOR key: TBD (suggested: 8)</t> | <dt>Change Controller:</dt> | |||
<t>Change Controller: IESG</t> | <dd>IETF</dd> | |||
<t>Reference: <xref target="tokenResponse"/> of [this document]</t> | <dt>Reference:</dt> | |||
</list></t> | <dd><xref target="paramCnf" format="default"/> of RFC 9201</dd> | |||
</dl> | ||||
<t><?rfc subcompact="yes"?> | <dl newline="false" spacing="compact"> | |||
<list style='symbols'> | <dt>Name:</dt> | |||
<t>Name: <spanx style="verb">rs_cnf</spanx></t> | <dd><tt>cnf</tt></dd> | |||
<t>CBOR key: TBD (suggested: 41)</t> | <dt>Parameter Usage Location:</dt> | |||
<t>Change Controller: IESG</t> | <dd>token response</dd> | |||
<t>Reference: <xref target="tokenResponse"/> of [this document]</t> | <dt>Change Controller:</dt> | |||
</list></t> | <dd>IETF</dd> | |||
</section> | <dt>Reference:</dt> | |||
<dd><xref target="paramCnf" format="default"/> of RFC 9201</dd> | ||||
<section anchor="IANAIntrospectCBORMappingRegistration" | </dl> | |||
title="OAuth Token Introspection Response CBOR Mappings | </section> | |||
Registration"> | <section anchor="IANATokenCBORMappingRegistration" numbered="true" toc="de | |||
<t>This section registers the following parameter mapping | fault"> | |||
in the "OAuth Token Introspection Response CBOR Mappings" registry | <name>OAuth Parameters CBOR Mappings Registration</name> | |||
established in section 8.11. of <xref | <t>This section registers the following parameter mappings | |||
target="I-D.ietf-ace-oauth-authz"/>.</t> | in the "OAuth Parameters CBOR Mappings" registry established in | |||
<xref target="RFC9200" sectionFormat="of" section="8.10"/>.</t> | ||||
<t><?rfc subcompact="yes"?> | <dl newline="false" spacing="compact"> | |||
<list style='symbols'> | <dt>Name:</dt> | |||
<t>Name: <spanx style="verb">cnf</spanx></t> | <dd><tt>req_cnf</tt></dd> | |||
<t>CBOR key: TBD (suggested: 8)</t> | <dt>CBOR Key:</dt> | |||
<t>Change Controller: IESG</t> | <dd>4</dd> | |||
<t>Reference: <xref target="introsp"/> of [this document]</t> | <dt>Value Type:</dt> | |||
</list></t> | <dd>map</dd> | |||
<dt>Reference:</dt> | ||||
</section> | <dd><xref target="tokenRequest" format="default"/> of RFC 9201</dd> | |||
</section><!-- IANA considerations --> | <dt>Original specification:</dt> | |||
<dd>RFC 9201</dd> | ||||
<section anchor="Acknowledgments" title="Acknowledgments"> | </dl> | |||
<t>This document is a product of the ACE working group of the IETF. | <dl newline="false" spacing="compact"> | |||
Special thanks to Brian Campbell for his thorough review of this document.</t> | <dt>Name:</dt> | |||
<dd><tt>cnf</tt></dd> | ||||
<t>Ludwig Seitz worked on this document as part of the CelticNext projects | <dt>CBOR Key:</dt> | |||
CyberWI, and CRITISEC with funding from Vinnova.</t> | <dd>8</dd> | |||
</section> | <dt>Value Type:</dt> | |||
<dd>map</dd> | ||||
<dt>Reference:</dt> | ||||
<dd><xref target="tokenResponse" format="default"/> of RFC 9201</dd> | ||||
<dt>Original specification:</dt> | ||||
<dd>RFC 9201</dd> | ||||
</dl> | ||||
<dl newline="false" spacing="compact"> | ||||
<dt>Name:</dt> | ||||
<dd><tt>rs_cnf</tt></dd> | ||||
<dt>CBOR Key:</dt> | ||||
<dd>41</dd> | ||||
<dt>Value Type:</dt> | ||||
<dd>map</dd> | ||||
<dt>Reference:</dt> | ||||
<dd><xref target="tokenResponse" format="default"/> of RFC 9201</dd> | ||||
<dt>Original specification:</dt> | ||||
<dd>RFC 9201</dd> | ||||
</dl> | ||||
</section> | ||||
<section anchor="IANAIntrospectCBORMappingRegistration" numbered="true" to | ||||
c="default"> | ||||
<name>OAuth Token Introspection Response CBOR Mappings Registration</nam | ||||
e> | ||||
<t>This section registers the following parameter mapping | ||||
in the "OAuth Token Introspection Response CBOR Mappings" registry | ||||
established in <xref target="RFC9200" sectionFormat="of" section="8.12"/> | ||||
.</t> | ||||
<dl newline="false" spacing="compact"> | ||||
<dt>Name:</dt> | ||||
<dd><tt>cnf</tt></dd> | ||||
<dt>CBOR Key:</dt> | ||||
<dd>8</dd> | ||||
<dt>Value Type:</dt> | ||||
<dd>map</dd> | ||||
<dt>Reference:</dt> | ||||
<dd><xref target="introsp" format="default"/> of RFC 9201</dd> | ||||
<dt>Original specification:</dt> | ||||
<dd><xref target="RFC8705" format="default"/></dd> | ||||
</dl> | ||||
</section> | ||||
</section> | ||||
<!-- Possibly a 'Contributors' section ... --> | ||||
</middle> | </middle> | |||
<!-- *****BACK MATTER ***** --> | <!-- *****BACK MATTER ***** --> | |||
<back> | <back> | |||
<!-- References split into informative and normative --> | <!-- References split into informative and normative --> | |||
<!-- There are 2 ways to insert reference entries from the citation librarie | <references> | |||
s: | <name>References</name> | |||
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here | <references> | |||
(as shown) | <name>Normative References</name> | |||
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xm | <!-- [I-D.ietf-ace-oauth-authz] - companion document RFC 9200 --> | |||
l"?> here | <reference anchor='RFC9200' target='https://www.rfc-editor.org/info/rfc9200'> | |||
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis. | <front> | |||
xml") | <title>Authentication and Authorization for Constrained Environments (ACE) Using | |||
the OAuth 2.0 Framework (ACE-OAuth)</title> | ||||
Both are cited textually in the same manner: by using xref elements. | <author initials='L' surname='Seitz' fullname='Ludwig Seitz'> | |||
If you use the PI option, xml2rfc will, by default, try to find included fi | <organization /> | |||
les in the same | </author> | |||
directory as the including file. You can also define the XML_LIBRARY enviro | <author initials='G' surname='Selander' fullname='Göran Selander'> | |||
nment variable | <organization /> | |||
with a value containing a set of directories to search. These can be eithe | </author> | |||
r in the local | <author initials='E' surname='Wahlstroem' fullname='Erik Wahlstroem'> | |||
filing system or remote ones accessed by http (http://domain/dir/... ).--> | <organization /> | |||
</author> | ||||
<author initials='S' surname='Erdtman' fullname='Samuel Erdtman'> | ||||
<organization /> | ||||
</author> | ||||
<author initials='H' surname='Tschofenig' fullname='Hannes Tschofenig'> | ||||
<organization /> | ||||
</author> | ||||
<date year='2022' month='March' /> | ||||
</front> | ||||
<seriesInfo name="RFC" value="9200"/> | ||||
<seriesInfo name="DOI" value="10.17487/RFC9200"/> | ||||
</reference> | ||||
<references title="Normative References"> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R | |||
<!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC. | FC.2119.xml"/> | |||
2119.xml"?--> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R | |||
&I-D.ietf-ace-oauth-authz; | FC.6749.xml"/> | |||
&RFC2119; | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R | |||
&RFC6749; | FC.7800.xml"/> | |||
&RFC7800; | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R | |||
&RFC8152; | FC.8152.xml"/> | |||
&RFC8174; | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R | |||
&RFC8259; | FC.8174.xml"/> | |||
&RFC8705; | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R | |||
&RFC8747; | FC.8259.xml"/> | |||
&RFC8949; | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R | |||
<reference anchor="IANA.OAuthParameters" target="https://www.iana.org/assi | FC.8705.xml"/> | |||
gnments/oauth-parameters/oauth-parameters.xhtml#parameters"> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R | |||
<front> | FC.8747.xml"/> | |||
<title>OAuth Parameters</title> | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R | |||
<author> | FC.8949.xml"/> | |||
<organization>IANA</organization> | ||||
</author> | ||||
<date/> | ||||
</front> | ||||
</reference> | ||||
</references> | ||||
<references title="Informative References"> | <reference anchor="IANA.OAuthParameters" target="https://www.iana.org/as | |||
&RFC7252; | signments/oauth-parameters"> | |||
<front> | ||||
<title>OAuth Parameters</title> | ||||
<author> | ||||
<organization>IANA</organization> | ||||
</author> | ||||
</front> | ||||
</reference> | ||||
</references> | ||||
<references> | ||||
<name>Informative References</name> | ||||
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.R | ||||
FC.7252.xml"/> | ||||
</references> | ||||
</references> | </references> | |||
<section anchor="Acknowledgments" numbered="false" toc="default"> | ||||
<name>Acknowledgments</name> | ||||
<t>This document is a product of the ACE Working Group of the IETF. | ||||
Special thanks to <contact fullname="Brian Campbell"/> for his thorough re | ||||
view of | ||||
this document.</t> | ||||
<t><contact fullname="Ludwig Seitz"/> worked on this document as part of t | ||||
he | ||||
CelticNext projects CyberWI and CRITISEC with funding from Vinnova.</t> | ||||
</section> | ||||
</back> | </back> | |||
</rfc> | ||||
</rfc> | ||||
<!-- LocalWords: Combitech Djäknegatan Malmö CoAP CBOR JSON BCP req | <!-- LocalWords: Combitech Djäknegatan Malmö CoAP CBOR JSON BCP req | |||
--> | --> | |||
<!-- LocalWords: authz cnf DTLS RPK COSE alg JWT IESG TBD PoP IETF | <!-- LocalWords: authz cnf DTLS RPK COSE alg JWT IESG TBD PoP IETF | |||
--> | --> | |||
<!-- LocalWords: Seitz CelticNext CyberWI CRITISEC Vinnova Ds xml | <!-- LocalWords: Seitz CelticNext CyberWI CRITISEC Vinnova Ds xml | |||
--> | --> | |||
<!-- LocalWords: rfc http IANA | <!-- LocalWords: rfc http IANA | |||
--> | --> | |||
End of changes. 52 change blocks. | ||||
458 lines changed or deleted | 516 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |